CLAIMS



We claim: 

1. A method for testing security of a cryptography device performing a
cryptographic algorithm, comprising the steps of:

a. generating a faulty computation in the cryptography device; 

b. receiving the faulty computation in a processor; and 

c. using the faulty computation, the processor determining heretofore
secret information stored in the cryptography device.

2. The method of claim 1, wherein the faulty computation is intentionally
generated.

3. The method of claim 2, wherein the faulty computation is intentionally
generated by subjecting the cryptography device to a physical stress.

4. The method of claim 3, wherein the step of subjecting the cryptography 
device to physical stress further includes subjecting the cryptography device to 
at least one of radiation, an atypical voltage level, and a higher clock speed than
the cryptography device was designed to accommodate. 

5. The method of claim 1, further comprising the step of transmitting the
faulty computation from the cryptography device to a second cryptography
device housing the processor.

6. The method of claim 1, wherein the cryptographic algorithm generates
a digital signature which may be separated into linear components, wherein the
step of determining heretofore secret information further comprises the
processor comparing an erroneous signature having the generated fault on a
digital message with a correct digital signature on the same digital message.

7. The method of claim 1, wherein the faulty computation is generated by
inverting at least one bit stored in a register of the cryptography device.

8. The method of claim A wherein the step of determining heretofore secret
information further comprises the processor comparing a correct value and an
erroneous value containing the induced fault to determine the secret
information.

9. The method of claim 1, wherein the cryptographic algorithm generates
a digital signature, wherein the method further comprises the steps of:

a. the step of generating a faulty computation further comprises
inducing a faulty computation in a plurality of digital messages;
and

b. the step of determining heretofore secret information further
comprises:

(i) the processor using a first fault to determine heretofore
secret information;

(ii) the processor constructing sets of data for the
cryptography device;

(iii) the processor receiving from the cryptography device
responses to the sets of data; and

(iv) the processor using the heretofore secret information and 
the responses to determine a secret key. 

10. The method of claim 1, wherein the cryptographic algorithm is an
authentication algorithm, wherein:

a. the step of receiving the faulty computation comprises receiving
the faulty computation in response to a challenge; and

b. the step of determining heretofore secret information further
comprises the processor using the faulty computation to determine
a single bit of heretofore secret information; and

c. repeating steps (a) and (b) above to determine a plurality of bits of
secret information.

11. A method for testing the security of a cryptography device which 
performs a cryptographic algorithm which generates a digital signature which 
may be separated into linear components, the method comprising the steps of: 

a. storing in a memory a correct digital signature $E$ for a message m
generated by the cryptography device;

b. storing in the memory an incorrect digital signature $\hat{E}$ for the
message m generated by the cryptography device; and

c. using $E$ and $\hat{E}$, a processor determining heretofore secret
information.

12. The method of claim 11, wherein method is performed by the processor,
the method further comprising the steps of:

a. the cryptography device sending E to the processor; and

b. the step of determining heretofore secret information further
comprises the first processor determining heretofore secret
information stored in the cryptography device.

13. The method of claim wherein the step of determining heretofore
secret information further comprises the processor determining secret
information q stored in the cryptography device using:

$\gcd(E - \hat{E}, N) = q$
wherein N is a product of prime numbers, and one of the prime numbers is q.

14. A method for testing the security of a cryptography device performing 
cryptographic authentication algorithm, the method comprising the steps of: 

a. receiving from the cryptography device a value $r^2 \bmod N$, wherein
r is a random number and N is a secret value which is a product
of prime numbers;

b. generating a subset of integers S and providing the subset S to
the cryptography device;

c. receiving from the cryptography device $y = (r + E) \prod_{i \in S} s_i$ in response
to the subset S, wherein y is an erroneous value, $s_i$ is a secret
exponent used to encrypt, and E is a value added to r due to an
error;

d. a processor determining a value of E by computing:



(mod N)

wherein $v_i = s_i^2$;

e. the processor determining a value of r by computing:

$(r + E)^2 - r^2 = 2rE + E^2 \pmod{N}$

and

f. using the values of E and r, the processor determining $s_i$ by
computing:

$\prod_{i \in S} s_i = \frac{y}{r + E} \pmod{N}$

15. The method of claim 14, wherein the step of determining $s_i$ further
includes the step of the cryptography device computing:

(mod N).

16. The method of claim 14, further comprising the step of verifying whether
the value of E is correct.

17. The method of claim 16, wherein the step of verifying further includes
the step of using the subset S to determine whether the value of E satisfies the
relation $(y')^2 = (r')^2 T^2$;
wherein T is a guessed value for $\prod_{i \in S} s_i$.

18. The method of claim 14, further comprising the steps of:

a. the processor generating a plurality of subsets S;

b. the processor receiving a value in response to each subset S; and

c. using known values and the response value to each subset S, the
processor determining heretofore secret information.



19. The method of claim 18, wherein the step of generating the plurality of
subsets S further comprises generating singleton sets. 




20. A method for testing the security of a cryptography device performing
a cryptographic authentication algorithm by determining secret information 
comprising a number of bits, the method comprising the steps of: 

a. a processor obtaining an erroneous digital signature $\hat{E}$;

b. the processor selecting a block length;

c. the processor determining a candidate vector w that matches all
known bits of the secret information and is zero everywhere else;

d. the processor determining if the candidate vector w is correct;

e. if the candidate vector w is correct, the processor outputting a
value for the selected block length; and

f. if the candidate vector w is incorrect, the processor determining
another candidate vector.

21. The method of claim 20, wherein steps (c) - (f) are performed for a 
plurality of block lengths.

22. The method of claim 20, wherein the step of determining the candidate
vector w further comprises determining:

wherein k f is a time at which an error may have occurred; s is a bit which may
be incorrect; r is a possible blocklength; and u is a bit which may be incorrect.

23. The method of claim 20, wherein the step of determining if the candidate
vector w is correct further comprises determining:

3ee{0 # . . . ,23} s.t. (Sj±2 e ittj) ^^Wj (mod N) 
wherein e is a public exponent;
n = a number of bits in the secret information;

m j = is a message;

e, = is a public signature verification exponent; and
N = a product of prime numbers.



24. A method for testing the security of a first cryptography device
performing cryptographic authentication algorithm by using a second
cryptography device to determine secret information comprising a number of
bits stored in the first cryptography device, the method comprising the steps
of:

a. the second cryptography device sending to the first cryptography
device a challenge t;

b. the first cryptography device receiving t and generating a response
$u = r + ts \bmod p$, wherein:

r is a random number selected by the first cryptography device;
s is the first cryptography device's secret key; and
p is a large prime number;

c. the second cryptography device receiving u;

d. the first cryptography device receiving t again and generating a
response $\hat{u} = \hat{r} + x \bmod p$, wherein:
$\hat{r}$ is an erroneous value of r and x is ts mod p; and

e. the second cryptography device receiving $\hat{u}$ and determining a
location of the error.

25. The method of claim 24, wherein the step of determining the location of 
the error further comprises the steps of trying all possible locations of the error. 

26. The method of claim 25, wherein the step of trying all possible locations
further includes the step of determining which location for the error satisfies: 

S'V^Y"* 9 r 9 x (mod p) 

wherein: 

g is a generator of $Z_p^*$; and
i is a location of the error.

27. A cryptography device produced according to the steps of: 

a. generating a faulty computation in the cryptography device;

b. receiving the faulty computation in a processor; and

c. using the faulty computation, verifying that the processor cannot 
determine secret information stored in the cryptography device. 



28. The device of claim 27, further comprising providing the cryptography
device before generating the faulty computation. 

29. The device of claim 27, wherein the faulty computation is intentionally
generated during testing of the cryptography device. 



30. The device of claim 29, wherein the faulty computation is intentionally 
generated during testing of the cryptography device by subjecting the 
cryptography device to a physical stress. 

31. The device of claim 29, wherein the step of subjecting the cryptography
device to physical stress further includes subjecting the cryptography device to
at least one of radiation, an atypical voltage level, and a higher clock speed than
the cryptography device was designed to operate on.

32. The device of claim 27, wherein the cryptography device performs a
cryptographic algorithm which generates a digital signature which may be
separated into linear components, wherein the step of verifying that the
processor cannot determine secret information further comprises the processor
verifying that an erroneous digital signature having the generated fault on a
digital message cannot be compared with a correct signature on the same
digital message.

33. The device of claim 27, wherein the faulty computation is generated by 
inverting at least one bit stored in a register of the cryptography device. 

34. The device of claim 33, wherein the step of verifying that the processor
cannot determine heretofore secret information further comprises verifying that
the processor cannot compare a correct value and an erroneous value
containing the induced fault to determine the secret information.

35. A cryptography device that is impervious to a hardware fault-based
attack, which attack comprises the steps of:

a. generating a faulty computation in the cryptography device;

b. receiving the faulty computation in a processor; and

c. using the faulty computation, the processor determining secret
information stored in the cryptography device.

36. The device of claim 35, further comprising providing the cryptography
device before generating the faulty computation. 



37. The device of claim 35, wherein the faulty computation is intentionally 
generated during testing of the cryptography device. 



38. The device of claim 37, wherein the faulty computation is intentionally 
generated during testing of the cryptography device by subjecting the
cryptography device to a physical stress. 

39. The device of claim 3£, wherein the step of subjecting the cryptography
device to physical stress further includes subjecting the cryptographic device
to at least one of radiation, an atypical voltage level, and a higher clock speed
than the cryptography device was designed to operate on.
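
The relation in claim 13 and the verification step of claim 27 can be checked in software. The following is an added example, not part of the claims: it assumes an RSA signature computed with the Chinese Remainder Theorem as the "linear components" scheme, and the toy primes, the function names and the verify-before-release check are assumptions of this example.

```python
from math import gcd

# Constructed toy parameters (assumptions of this example, far too small for real use).
P = 2**31 - 1            # Mersenne prime
Q = 2**61 - 1            # Mersenne prime
N = P * Q
E_PUB = 65537
D = pow(E_PUB, -1, (P - 1) * (Q - 1))


def sign_crt(m, fault_mask=0, check=False):
    """RSA-CRT signature on m.

    fault_mask is XORed into the mod-P half to model an inverted register bit
    (claim 7). With check=True the device verifies the result with the public
    exponent and releases nothing if the computation was faulty.
    """
    sp = pow(m, D % (P - 1), P) ^ fault_mask   # half-signature mod P (may be faulty)
    sq = pow(m, D % (Q - 1), Q)                # half-signature mod Q (always correct here)
    h = (pow(Q, -1, P) * (sp - sq)) % P        # Garner recombination
    sig = sq + Q * h
    if check and pow(sig, E_PUB, N) != m % N:
        return None                            # faulty result is never output
    return sig


def leaked_factor(correct_sig, erroneous_sig):
    """Claim 13: gcd(E - E_hat, N); returns a prime factor of N, or None."""
    if correct_sig is None or erroneous_sig is None:
        return None
    g = gcd(correct_sig - erroneous_sig, N)
    return g if 1 < g < N else None


def device_passes_fault_test(m, fault_mask, check):
    """Claim 27 style test: True if the faulted run discloses no factor of N."""
    good = sign_crt(m, check=check)
    bad = sign_crt(m, fault_mask=fault_mask, check=check)
    return leaked_factor(good, bad) is None


MESSAGE = 0x1234567890ABCDEF  # constructed sample message
```

An unchecked device fails `device_passes_fault_test` because the faulty signature is still correct modulo Q, so the difference from the correct signature is a multiple of Q; a device that verifies before output passes because the erroneous value never leaves it.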